thr3ads.net - Shorewall users - [Shorewall-users] Some IP''s does not respond [May 2003]

If this information is useful, please help other people find it:
Share via:

Per Krogh Nielsen

2003-May-13 23:15 UTC

[Shorewall-users] Some IP''s does not respond

Hi,

I''m running shorewall 1.4.2 on a debian system.

I got this problem that some of my wan ip''s doesn''t respond to
traffic.

Wan : 80.164.172.0/28 connected to eth0
Lan : 192.168.2.0/24 connected to eth1

On the lan I have to computers running exchange server, 192.168.2.1,  and
terminal server, 192.168.2.2.

I would like  to run ftp/smtp/www on one of the firewall''s
ip''s, 192.168.2.4


 internet ---> FW  eth0 : 80.164.172.0/28
                          eth1 :192.168.2.254 gateway for 192.168.2.0/24
                            |      192.168.2.3     used for misc services
                            |      192.168.2.4     used for webserver
                            |
                        switch--> 192.168.2.1 exchangeserver
                            |
                           +------> 192.168.2.2 terminal server
                            |
                           +------> 192.168.2.64/26  Workstations
                                        

The nat for 80.164.172.11+12 -> 192.168.2.1+2 works great. But not the one
for 80.164.172.14 -> 192.168.2.4.

in rules file :
#exchange server
ACCEPT          all             loc:192.168.2.1 tcp     25,80,110,143,3389
#termserver
ACCEPT          all             loc:192.168.2.2 tcp     3389

And now the trouble :
ACCEPT          net             fw:192.168.2.4 tcp    
21,22,25,80,110,143,ftp-data

I can''t get any response from the rule.
The above rules for exchange and termserver are working just fine.

What am I doing wrong ? 

I have tried loc:192.168.2.4 as well. No luck either.

Traffic from Lan to internet and firewall are ok.

Planned use of ip''s :

80.164.172.1  firewall''s ip
80.164.172.2 - 9 VPN usage. Later... Not now.
80.164.172.10 masq address for lan
80.164.172.11 exchange server - nat''ed to 192.168.2.1
80.164.172.12 terminal server   - nat''ed to 192.168.2.2
80.164.172.13 testing of services
80.164.172.14 webserver   - nat''ed to 192.168.2.4 (if it would work)


TIA.

Per Nielsen   :-)



---- INFO -----
### shorewall version ###
ncc1701:~# shorewall version
1.4.2

### uname -a ###
uname -a
Linux ncc1701 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i586 unknown unknown
GNU/Linux

### ip addr show ###
ncc1701:~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:7d:02:0c:15 brd ff:ff:ff:ff:ff:ff
    inet 80.164.172.1/28 brd 80.164.172.15 scope global eth0
    inet 80.164.172.11/28 brd 80.164.172.15 scope global secondary eth0
    inet 80.164.172.12/28 brd 80.164.172.15 scope global secondary eth0
    inet 80.164.172.14/28 brd 80.164.172.15 scope global secondary eth0
    inet 80.164.172.10/28 brd 80.164.172.15 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:7d:02:0c:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth1
    inet 192.168.2.3/24 brd 192.168.2.255 scope global secondary eth1
    inet 192.168.2.4/24 brd 192.168.2.255 scope global secondary eth1

### ip route show ###
ncc1701:~# ip route show
80.164.172.0/28 dev eth0  proto kernel  scope link  src 80.164.172.1 
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.254 
default via 62.242.27.189 dev eth0 
default via 80.164.172.1 dev eth0  scope link 

### lsmod ###
ncc1701:~# lsmod
Module                  Size  Used by    Not tainted
nls_cp437               4384   0  (autoclean)
ipt_TOS                 1024  16  (autoclean)
ipt_LOG                 3136   4  (autoclean)
ipt_REJECT              2816   6  (autoclean)
ipt_state                608  70  (autoclean)
iptable_mangle          2112   1  (autoclean)
ip_nat_irc              2304   0  (unused)
ip_nat_ftp              2912   0  (unused)
iptable_nat            12628   3  [ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        2432   0  (unused)
ip_conntrack_ftp        3168   0  (unused)
ip_conntrack           12652   4  [ipt_state ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          1728   1  (autoclean)
ip_tables              10432   9  [ipt_TOS ipt_LOG ipt_REJECT ipt_state
iptable_mangle iptable_nat iptable_filter]
keybdev                 1664   0  (unused)
usbkbd                  2848   0  (unused)
usbcore                48000   0  [usbkbd]
input                   3040   0  [keybdev usbkbd]


### nat ###
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
80.164.172.11   eth0            192.168.2.1     No                      No
80.164.172.12   eth0            192.168.2.2     No                      No
80.164.172.14   eth0            192.168.2.4     No                      No

### zone ###
net     Net             Internet
loc     Local           Local Networks

### interface ###
net     eth0            80.164.172.15           routefilter,norfc1918  
loc     eth1            192.168.2.255

### masq ###
eth0:0                  192.168.2.64/26  80.164.172.10

### rules ###
ACCEPT          all             net             tcp     53
ACCEPT          all             net             udp     53

ACCEPT          all             fw              tcp     53
ACCEPT          all             fw              udp     53

#
ACCEPT          loc             fw              tcp     22
ACCEPT          net             fw              tcp     22,80
#

# Traceroute
ACCEPT          all             fw              udp     33434:33600
ACCEPT          all             loc:192.168.2.1         udp     33434:33600
ACCEPT          all             loc:192.168.2.4         udp     33434:33600   

# NCC1701
ACCEPT          net             fw:192.168.2.4 tcp    
21,22,25,80,110,143,ftp-data

# SERVER og TERMSERVER
ACCEPT          all             loc:192.168.2.1 tcp     25,80,110,143,3389
ACCEPT          all             loc:192.168.2.2 tcp     3389


 <<status.txt>> 









-------------- next part --------------
Shorewall-1.4.2 Status at ncc1701 - Wed May 14 08:54:54 CEST 2003

Counters reset Wed May 14 08:54:08 CEST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   62  3200 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    7   504 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   11   568 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   38  2312 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0           
80.164.172.15
    0     0 DROP       all  --  *      *       0.0.0.0/0           
192.168.2.255

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   504 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7   504 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   568 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   11   568 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   62  3200 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   62  3200 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
   38  2312 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW udp dpts:33434:33600
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW udp dpts:33434:33600
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:3389
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2 
state NEW tcp dpt:3389
    0     0 fw2all     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 fw2all     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8

Chain loc2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    1    48 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   62  3200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:33434:33600
    0     0 loc2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2loc (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW udp dpts:33434:33600
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW udp dpts:33434:33600
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:3389
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2 
state NEW tcp dpt:3389
    0     0 loc2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    1    48 loc2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:33434:33600
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW tcp dpt:20
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   504 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW udp dpts:33434:33600
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.4 
state NEW udp dpts:33434:33600
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
state NEW tcp dpt:3389
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2 
state NEW tcp dpt:3389
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (11 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination


NAT Table

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_out   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0           
80.164.172.11      to:192.168.2.1
    0     0 DNAT       all  --  *      *       0.0.0.0/0           
80.164.172.12      to:192.168.2.2
    0     0 DNAT       all  --  *      *       0.0.0.0/0           
80.164.172.14      to:192.168.2.4

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.2.64/26      0.0.0.0/0   
to:80.164.172.10

Chain eth0_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.2.1          0.0.0.0/0   
to:80.164.172.11
    0     0 SNAT       all  --  *      *       192.168.2.2          0.0.0.0/0   
to:80.164.172.12
    0     0 SNAT       all  --  *      *       192.168.2.4          0.0.0.0/0   
to:80.164.172.14

Mangle Table

Chain PREROUTING (policy ACCEPT 81 packets, 4312 bytes)
 pkts bytes target     prot opt in     out     source               destination
   81  4312 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 63 packets, 3240 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 18 packets, 1072 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 38 packets, 2312 bytes)
 pkts bytes target     prot opt in     out     source               destination
   38  2312 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 56 packets, 3384 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:110 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:110 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
   38  2312 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:110 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:110 TOS set 0x10
   73  3760 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    7   504 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

tcp      6 431963 ESTABLISHED src=192.168.2.67 dst=217.157.136.52 sport=1217
dport=22 src=217.157.136.52 dst=80.164.172.10 sport=22 dport=1217 [ASSURED]
use=1
tcp      6 431999 ESTABLISHED src=192.168.2.67 dst=192.168.2.254 sport=1199
dport=22 src=192.168.2.254 dst=192.168.2.67 sport=22 dport=1199 [ASSURED] use=1
tcp      6 22 TIME_WAIT src=66.227.104.103 dst=80.164.172.10 sport=43307
dport=80 src=80.164.172.10 dst=66.227.104.103 sport=80 dport=43307 [ASSURED]
use=1
udp      17 47 src=192.168.2.1 dst=193.88.44.42 sport=1082 dport=53
src=193.88.44.42 dst=80.164.172.11 sport=53 dport=1082 [ASSURED] use=1
tcp      6 431699 ESTABLISHED src=192.168.2.67 dst=217.157.136.52 sport=1101
dport=143 src=217.157.136.52 dst=80.164.172.10 sport=143 dport=1101 [ASSURED]
use=1
tcp      6 424414 ESTABLISHED src=192.168.2.67 dst=217.157.136.52 sport=1914
dport=22 src=217.157.136.52 dst=80.164.172.10 sport=22 dport=1914 [ASSURED]
use=1
tcp      6 74 SYN_SENT src=192.168.2.1 dst=209.204.62.47 sport=2731 dport=25
[UNREPLIED] src=209.204.62.47 dst=80.164.172.11 sport=25 dport=2731 use=1
tcp      6 431700 ESTABLISHED src=192.168.2.67 dst=217.157.136.52 sport=1174
dport=143 src=217.157.136.52 dst=80.164.172.10 sport=143 dport=1174 [ASSURED]
use=1
tcp      6 431940 ESTABLISHED src=192.168.2.67 dst=62.243.74.162 sport=1417
dport=119 src=62.243.74.162 dst=80.164.172.10 sport=119 dport=1417 [ASSURED]
use=1
tcp      6 22 TIME_WAIT src=66.227.104.103 dst=80.164.172.10 sport=43308
dport=80 src=80.164.172.10 dst=66.227.104.103 sport=80 dport=43308 [ASSURED]
use=1

Per Krogh Nielsen

2003-May-15 00:35 UTC

head link

[Shorewall-users] Some IP''s does not respond

> >
> > And now the trouble :
> > ACCEPT          net             fw:192.168.2.4 tcp     
> > 21,22,25,80,110,143,ftp-data
> 
> ftp-data should NEVER be seen as a destination port.
OK.
> 
> > I can''t get any response from the rule.
> > The above rules for exchange and termserver are working just fine.
> >
> > What am I doing wrong ?
> 
> You are trying to use static NAT on a firewall internal 
> address. Shorewall 
> is designed to only handle static nat for local addresses 
> that are NOT on 
> the firewall. While I would have thought that it should "sort 
> of" work, I 
> would not be surprised if it doesn''t.
OK. That explains a lot.
> Several questions:
> 
> a) Why don''t you just have the web server bind to 0.0.0.0 and 
> forget NAT? 
> You can use firewall rules to only accept WWW on 
> 80.164.172.14 from the net 
> and 192.168.2.4 from the local net. If you do that, you will 
> have to get 
> rid of a rule that you didn''t show us that is opening TCP port 80 
> unconditionally from the net to the firewall.
This one ? 
ACCEPT          net             fw              tcp     22,80
I did this to make the websites work while sorting out these problems.
The users access sites in form of http://80.164.172.1/<page> .

 > b) Why are you ACCEPTing 21,22,25,110,143 (and ftp-data) if 
> all you are 
> running on the firewall is a web server?
It''s running proftp, postfix, and courier-imap/pop3 as well.
The ssh is for me only. I quess I should use the 80.164.172.1 instead.
> 
> c) Do you REALLY want to run a web server on your firewall? 
> While Apache 
> has a pretty good security record, it isn''t perfect.
Well. It''s all I got. And the load will not be high. Some small sites,
and some company internal sites. 

Perhaps I should grab an old workstation and make a firewall-only host of it.
> If you still want to keep your current setup then get rid of 
> the nat file 
> entry for 192.168.2.4 and replace your rule with this one:
> 
> DNAT	net	fw:192.168.2.4	tcp	80	-	80.614.172.14
OK. I''ll try that after work hours. Thanks a lot. 

Per Nielsen  :-)

Shorewall users - May 2003 - Some IP''s does not respond

[Shorewall-users] Some IP''s does not respond

[Shorewall-users] Some IP''s does not respond